Adam, Thanks much for the reply. I will take a look at the code.
For the expiration part, do you think it would be a good idea to modify the LDAP schema to include the SSH pubkey upload date and have an external script to scan the keys for their age and alert/remove the keys? If yes, could you please give me some pointers on how this can be done?

Thanks again.

--Prashant

On 23 December 2014 at 19:45, Adam Young <ayo...@redhat.com> wrote:

> On 12/22/2014 08:40 PM, Prashant Bapat wrote:
> > Hi,
> >
> > We are planning to roll out FreeIPA for our AWS infrastructure to be the central authentication service. Initially we plan to use the SSH public keys, user and group management by FreeIPA. We are looking at rolling out the SSS on clients a little later.
> >
> > Two questions.
> >
> > 1. We need to be able to ensure that a user is limited to only 2-3 SSH keys.
>
> SSH keys are a string attribute with a validator. In order to limit the number, you would need to modify the plugin here:
>
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/util.py#n310
>
> > 2. We need some way of forcing rotation of these keys once in, say, 90 days.
> >
> > In our existing setup we use an SSH CA based authentication. It has its own issues. But the rotation is handled by cert expiry every 90 days.
>
> This is going to be harder. With password you can validate on login, but there is caching involved with the public key, and I think you would need to take that into account to force invalidation. This is why certs are probably a better idea.
>
> Assuming you can flush the public keys fairly regularly, you would want to put the expiration checking on the accessor for the key. This is a direct ldap fetch and not managed by the IPA plugins.
>
> > Any suggestions/help would be appreciated.
> >
> > Thanks in advance.
> > --Prashant
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
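The external audit script Prashant sketches above, as an added example that is not part of the thread and not FreeIPA code. It assumes the keys sit in the multi-valued FreeIPA attribute `ipaSshPubKey` and that a hypothetical custom attribute, called `x-sshKeyUploadTime` here, stores each key's upload time as an LDAP GeneralizedTime string in the same order as the key values. The directory search is simulated with constructed in-memory entries so the script runs offline; `fetch_entries()` is the one place a real LDAP search would go. It reports users over the key limit, keys older than the rotation window, and keys with no recorded upload time, and shows how the expired keys would be pruned from an entry. Adam's caveat still applies: the check runs against the directory, so cached copies of the key on clients are not invalidated by it.

```python
"""Audit SSH public keys held in LDAP for count and age (added example)."""
from datetime import datetime, timedelta, timezone

MAX_KEYS_PER_USER = 3            # the 2-3 keys per user asked about above
MAX_KEY_AGE = timedelta(days=90)  # the 90-day rotation window

# Attribute names: ipaSshPubKey is FreeIPA's real attribute; the upload
# timestamp attribute is a hypothetical custom schema extension.
KEY_ATTR = "ipaSshPubKey"
TIME_ATTR = "x-sshKeyUploadTime"

# Constructed sample data standing in for an LDAP search result (key blobs
# are not real keys). "Now" is fixed so the ages below are reproducible.
SAMPLE_NOW = datetime(2014, 12, 24, tzinfo=timezone.utc)
SAMPLE_ENTRIES = [
    {"uid": ["alice"],
     KEY_ATTR: ["ssh-ed25519 AAAAC3NzConstructedAlice1 alice@laptop",
                "ssh-ed25519 AAAAC3NzConstructedAlice2 alice@desktop"],
     TIME_ATTR: ["20141201000000Z", "20140801000000Z"]},
    {"uid": ["bob"],
     KEY_ATTR: ["ssh-rsa AAAAB3NzConstructedBob%d bob@host%d" % (i, i)
                for i in range(4)],
     TIME_ATTR: ["20141220000000Z"] * 4},
    {"uid": ["carol"],
     KEY_ATTR: ["ssh-ed25519 AAAAC3NzConstructedCarol carol@vm"]},
    {"uid": ["dave"],
     KEY_ATTR: ["ssh-ed25519 AAAAC3NzConstructedDave dave@box"],
     TIME_ATTR: ["20141210000000Z"]},
]


def fetch_entries():
    """Stand-in for an LDAP search over user entries; returns sample data."""
    return SAMPLE_ENTRIES


def parse_generalized_time(value):
    """Parse an LDAP GeneralizedTime such as 20141201000000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def key_label(key, index):
    """Identify a key by its comment field, or by position if it has none."""
    parts = key.split()
    return parts[2] if len(parts) >= 3 else "key#%d" % index


def audit_entry(entry, now=None, max_keys=MAX_KEYS_PER_USER, max_age=MAX_KEY_AGE):
    """Check one user entry; returns a finding dict (possibly all clean)."""
    now = now or datetime.now(timezone.utc)
    keys = entry.get(KEY_ATTR, [])
    stamps = entry.get(TIME_ATTR, [])
    finding = {"uid": entry["uid"][0], "key_count": len(keys),
               "too_many_keys": len(keys) > max_keys,
               "expired": [], "untracked": []}
    for i, key in enumerate(keys):
        label = key_label(key, i)
        if i >= len(stamps):
            # No upload time recorded: cannot judge age, so flag it.
            finding["untracked"].append(label)
            continue
        age = now - parse_generalized_time(stamps[i])
        if age > max_age:
            finding["expired"].append((label, age.days))
    return finding


def is_clean(finding):
    return not (finding["too_many_keys"] or finding["expired"] or finding["untracked"])


def audit(entries, now=None):
    """Return findings only for entries that need attention."""
    return [f for f in (audit_entry(e, now) for e in entries) if not is_clean(f)]


def prune_expired(entry, now=None, max_age=MAX_KEY_AGE):
    """Return a copy of the entry with expired keys and their timestamps dropped."""
    now = now or datetime.now(timezone.utc)
    keys = entry.get(KEY_ATTR, [])
    stamps = entry.get(TIME_ATTR, [])
    kept = [(k, s) for k, s in zip(keys, stamps)
            if now - parse_generalized_time(s) <= max_age]
    pruned = dict(entry)
    pruned[KEY_ATTR] = [k for k, _ in kept]
    pruned[TIME_ATTR] = [s for _, s in kept]
    return pruned


if __name__ == "__main__":
    for f in audit(fetch_entries(), SAMPLE_NOW):
        print(f["uid"], "keys=%d" % f["key_count"],
              "over-limit" if f["too_many_keys"] else "",
              "expired=%s" % f["expired"] if f["expired"] else "",
              "untracked=%s" % f["untracked"] if f["untracked"] else "")
```

Run it as a cron job against the real directory and feed the findings to whatever alerting you use; `prune_expired` gives the replacement attribute values for the remove-keys variant, which would then be written back with an LDAP modify.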